Demystifying the cloud shared responsibility security model

Subscribers of cloud services must be fully aware of how they and their providers share the responsibility for securing their cloud footprint.

Laeeq Ahmed

Managing Director, GRC Technology, KPMG US

+1 818-227-6032

Brian Jensen

Managing Director, GRC Technology, KPMG LLP

+1 817-946-9552

Kyle Kappel

Cyber Security Leader, KPMG US

+1 949-431-7359

A report in the Oracle and KPMG cloud threat 2020 series

In our 2020 cloud threat survey, Oracle and KPMG wanted to gauge to what degree businesses understand the cloud security shared responsibility model, whether organizations have clarified areas of confusion around cloud security since the 2019 survey and whether ongoing confusion has had a material impact on the security of business information. The findings show that there is work to do within the cloud industry collectively. 

The cloud security shared responsibility model varies by service type and provider.

The absence of a single model across the diverse landscape of cloud services requires businesses to take a more proactive approach to understand the shared responsibility model.

Confusion grows as businesses struggle to understand and operationalize the model.

Increased confusion about how a subscriber and a cloud service provider coordinate securing the cloud is further evidence of a problematic cloud security readiness gap that is preventing businesses from operationalizing their obligations.

The ramifications of confusion about the shared model are serious.

The implications of confusion are not trivial: they include misconfigured cloud services, resulting in possible data loss, introduction of malware, failed audits and more.

Subscribers seek more transparency from their cloud service providers.

The abstract nature of cloud computing leaves many subscribers wanting to better understand the successes of their cloud service provider's SecOp programs.